Change "encryption" VTY parameter to allow more than one cipher
Currently the "encryption" parameter lets one define which cipher is allowed by MSC, but only one can be allowed at a given time: "encryption a5 (0|1|2|3)"
In AoIP protocol, however, the cipher is negotiated between MSC<->BSC (BSC intersected with BTS and MS capabilities). Once "Authentication Response" reaches MSC with correct challenge response, the MSC sends a "Cipher Mode Command" to the BSC with a bitmask stating the allowed ciphers.
As we currently only set 1 cipher in config, only 1 bit can be enabled at a time in the bitmask, and if that mode doesn't match the one required by BSC/BTS/MS, then BSC will send a Reject and the modem will fail to connect.
We should be able to specify "encryption" parameter either as a bitmask or a list instead of a plain integer, e.g.:
encryption a5 <0..7> [<0..7>] [<0..7>] [<0..7>] [<0..7>] [<0..7>] [<0..7>]
encryption a5 0 1 3
#5 Updated by laforge about 1 year ago
- Assignee set to sysmocom
makes a lot of sense to me.
At the same time, we also have to take into consideration the capabilities of the BTS. So there is basically:
- capability of the phone in classmark (interpreted by the MSC, I suppose?)
- capability of the BTS (BSC should know based on BTS attributes [new] or implicitly by BTS model / version)
- policy on the BSC (which ones are administratively permitted or not)
- policy on the MSC (which ones are administratively permitted or not)
All in all, it's a bit like codec support/negotiation, but luckily only with one leg/phone at a time.
In terms of defaults, we should probably have 1+3 as "administratively permitted" unless the config file/vty states something else.
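
The proposed list syntax and the four-layer intersection described in the ticket and in the comment above, as an added example (not part of the ticket and not Osmocom code). The function names, the `A5_BIT` macro and the "bit n means A5/n" mask layout are assumptions of this example, and the sample capability values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout for this example: bit n set means A5/n is permitted. */
#define A5_BIT(n) ((uint8_t)(1u << (n)))

/* Parse the arguments of the proposed "encryption a5 <0..7> [<0..7>] ..."
 * line (e.g. "0 1 3") into a mask. Returns -1 for a malformed or
 * out-of-range token, or when no cipher is listed at all. */
int a5_mask_from_args(const char *args)
{
	const char *p = args;
	int mask = 0;

	while (*p) {
		char *end;
		long n;

		while (*p == ' ')
			p++;
		if (!*p)
			break;
		if (*p < '0' || *p > '9')	/* strtol alone would accept "+3" or "-1" */
			return -1;
		n = strtol(p, &end, 10);
		if (n > 7 || (*end != ' ' && *end != '\0'))
			return -1;
		mask |= A5_BIT(n);
		p = end;
	}
	return mask ? mask : -1;
}

/* Intersect the four layers listed in the comment above. A result of 0
 * means there is no common cipher, the case in which the BSC rejects. */
uint8_t a5_negotiate(uint8_t msc_policy, uint8_t bsc_policy,
		     uint8_t bts_caps, uint8_t ms_classmark)
{
	return msc_policy & bsc_policy & bts_caps & ms_classmark;
}

int main(void)
{
	/* Constructed sample: BSC and BTS allow A5/1 + A5/3, the MS does A5/0 + A5/1. */
	uint8_t bsc = A5_BIT(1) | A5_BIT(3), bts = bsc, ms = A5_BIT(0) | A5_BIT(1);

	printf("'a5 3'     -> 0x%02x\n", a5_negotiate((uint8_t)a5_mask_from_args("3"), bsc, bts, ms));
	printf("'a5 0 1 3' -> 0x%02x\n", a5_negotiate((uint8_t)a5_mask_from_args("0 1 3"), bsc, bts, ms));
	return 0;
}
```

With the single-cipher setting the intersection is empty, while the list form leaves A5/1 as the common cipher for the same BSC, BTS and MS.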